A Closer Look at NIST 800-171: The Access Control Family

The first of the fourteen families within the NIST 800-171 standard is Access Control. This family covers who you authorize to view or use your assets, and how those users and their devices are allowed to reach your systems.

Why is Access Control important?

All of us have assets that, if compromised, would result in a loss to our businesses. We also have information that we share publicly and freely. On websites and social media we share information about our mission, our staff, our products or services, and even some of our clients. But, we would never share our staff members’ social security numbers, our intellectual property, our detailed operating procedures, or our schematics in a public area where anyone and everyone can access it. Instead, we control who within our organization is authorized to view such information.

What is Access Control about in NIST 800-171?

There are 22 requirements within the Access Control family, making it the largest family within the standard. The main focus of this family is to limit system access to authorized users, to processes acting on their behalf, and to authorized devices. Some key points addressed within this family are:

Limit access to systems to authorized users–authorized users (employees, contractors, etc.) are assigned system accounts and system roles. Anyone without an assigned account and login credentials is denied access to the system.

Tailor access to job role and duties–assigned system roles or permissions should mirror the job requirements for the individual. For example, perhaps only financial personnel should be able to access budget workbooks and therefore access to these files would be denied for other job roles.

Restrict access to admin functions–grant edit, modify, and administrative permissions only to those authorized users whose duties actually require them, and have those users perform everyday, non-administrative work from a separate non-privileged account. View permission can be shared with others as needed.

Control remote access to your systems–establish requirements and restrictions for remote access including the levels of access that are permitted to authorized users while they are using remote access.

Control wireless and mobile device access to your systems–establish wireless and mobile device guidelines and restrictions. Verify and permit only trusted devices operated by authorized users.
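To show how the points above translate into a single, default-deny access decision, here is an added example that is not part of the original post and not drawn from NIST. Every account, role, device and permission name in it is constructed sample data, and the specific rules (a separate privileged account for admin work, read-only access over remote and mobile connections, a registry of verified devices) are one assumed way an organization might encode its policy, not requirements quoted from the standard.

```python
"""Default-deny access decision covering the Access Control points listed
above. Added illustration, not code from the original post or from NIST;
all accounts, roles, devices and permissions are constructed sample data,
and the policy shape is an assumption about one organization's rules."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Job roles and the permissions each is authorized for (constructed).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "finance":     frozenset({"budget:read", "budget:write"}),
    "engineering": frozenset({"schematics:read", "schematics:write"}),
    "sysadmin":    frozenset({"user:create", "user:delete", "audit:configure"}),
}

# Functions that change the system or its security settings (admin functions).
PRIVILEGED = frozenset({"user:create", "user:delete", "audit:configure"})

# What remote or mobile sessions may do: read access only (assumed policy).
REMOTE_ALLOWED = frozenset({"budget:read", "schematics:read"})

# Accounts assigned to authorized users. A user with no entry has no account.
ACCOUNTS: Dict[str, FrozenSet[str]] = {
    "alice":   frozenset({"finance"}),
    "bob":     frozenset({"engineering"}),
    "bob-adm": frozenset({"sysadmin"}),   # separate privileged account for admin work
}

# Devices the organization has verified; anything else is untrusted.
TRUSTED_DEVICES: Dict[str, str] = {
    "WS-1102": "workstation",
    "LT-0417": "laptop",
    "MB-0093": "mobile",
}


@dataclass(frozen=True)
class Session:
    user: Optional[str]   # None when no account has been authenticated
    device_id: str
    remote: bool          # connection originates outside the organization network


def decide(session: Session, permission: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check is a deny unless it passes;
    the grant at the end is reached only when all conditions hold."""
    # 1. Only authorized users with assigned accounts get in at all.
    if session.user is None or session.user not in ACCOUNTS:
        return False, "no assigned account"

    # 2. Only verified devices may connect.
    device_type = TRUSTED_DEVICES.get(session.device_id)
    if device_type is None:
        return False, "untrusted device"

    # 3. Permissions follow the account's job role(s); nothing else is granted.
    granted = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset())
                                 for r in ACCOUNTS[session.user]))
    if permission not in granted:
        return False, "not authorized for role"

    # 4. Admin functions are never exercised over remote or mobile access.
    restricted = session.remote or device_type == "mobile"
    if permission in PRIVILEGED and restricted:
        return False, "privileged function blocked for remote/mobile session"

    # 5. Remote and mobile sessions are limited to the reduced permission set.
    if restricted and permission not in REMOTE_ALLOWED:
        return False, "not permitted over remote/mobile access"

    return True, "allowed"


def demo() -> Dict[str, bool]:
    """Evaluate a few constructed requests; returns case name -> allowed."""
    cases = {
        "no_account":       (Session(None, "WS-1102", False), "budget:read"),
        "finance_onsite":   (Session("alice", "WS-1102", False), "budget:write"),
        "finance_remote_w": (Session("alice", "LT-0417", True), "budget:write"),
        "finance_remote_r": (Session("alice", "LT-0417", True), "budget:read"),
        "wrong_role":       (Session("bob", "WS-1102", False), "budget:read"),
        "unknown_device":   (Session("bob", "BYOD-99", False), "schematics:read"),
        "admin_onsite":     (Session("bob-adm", "WS-1102", False), "user:create"),
        "admin_remote":     (Session("bob-adm", "LT-0417", True), "user:create"),
        "mobile_read":      (Session("bob", "MB-0093", False), "schematics:read"),
    }
    return {name: decide(s, p)[0] for name, (s, p) in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} {'ALLOW' if allowed else 'DENY'}")
```

The order of the checks matters: identity and device trust are settled before any permission is consulted, so an unknown user or device never learns which roles exist, and the remote and mobile restrictions are applied after the role check, so a user with write permission on site still gets read-only access from a laptop at home. Note also that "bob" and "bob-adm" are the same person; the everyday engineering account carries no admin permissions, which is the point of keeping privileged work on a separate account.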

Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.

2 Comments

Phil
on February 2, 2019 at 10:50 pm

Thanks for leading this discussion. Can access control processes be used to block how data from things like memory sticks connect into the system?

Katherine Bennett
on February 5, 2019 at 3:01 pm

Phil,

While blocking memory sticks and other removable storage devices may fall more under the Configuration Management family of the NIST 800-171 standards, you can include settings within your endpoint protection application that can help with access control when using devices. Endpoint protection applications allow you to control or block data from removable storage devices. You can use the settings to establish administrator overrides that would permit only authorized users on your system with the override authority to allow the device to run on the endpoint computer. We will have a series of posts that go through the NIST 800-171 families over the coming weeks. If you are interested in learning more about the Configuration Management or other families, please check back!